The current pace of dependency churn, particularly within the LLM agent ecosystem where tools like LangChain or LlamaIndex often pull in loosely pinned transitive dependencies, has made manual monitoring of advisories untenable. While we have automated scanners integrated into CI/CD, the signal-to-noise ratio is poor, and critical vulnerabilities can be missed between scheduled scans or merge events.

To address this, I constructed a lightweight internal service that provides real-time, filtered vulnerability notifications. The core principle is to subscribe to authoritative feeds, apply a severity and package scope filter, and push concise alerts to our operations channel. This is not a replacement for a full-fledged Software Composition Analysis (SCA) platform but serves as a critical early-warning system.

The implementation consists of three primary components:
1. **Feed Ingestion:** Pulls from the OSV.dev API, which aggregates GitHub Security Advisories, PyPI advisories, and the NVD. We fetch on a cron schedule, but the API's timestamp query parameter makes incremental updates efficient.
2. **Filtering Engine:** Applies our team's policy. A vulnerability must meet all criteria to trigger a notification:
* Severity rating of "CRITICAL" or "HIGH" per CVSS v3.1.
* Affected package resides within our pre-audited, pinned dependency list for active projects.
* The vulnerability type is relevant to our runtime (e.g., remote code execution, privilege escalation; ignoring DOS in isolated containers unless it impacts isolation boundaries).
3. **Notification Layer:** Formats a structured message and delivers it via a simple HTTP webhook to our Mattermost server (easily adaptable for Slack or Discord).

Below is the core filtering logic, written in Python, which we run as a scheduled Kubernetes CronJob.

```python
import requests
import os
import json
from datetime import datetime, timedelta

# Config
OSV_ENDPOINT = "https://api.osv.dev/v1/query"
PINNED_DEPS_FILE = "/config/pinned_deps.json"
SEVERITY_THRESHOLD = ["CRITICAL", "HIGH"]
WEBHOOK_URL = os.getenv("MATTERMOST_WEBHOOK")

def load_pinned_deps():
"""Load our curated list of monitored packages and versions."""
with open(PINNED_DEPS_FILE) as f:
return json.load(f)

def check_vuln(pkg_name, pkg_version, vuln):
"""Evaluate if a vulnerability entry meets our notification criteria."""
# Check severity
severity = vuln.get('severity', [])
if not any(s.get('type') == 'CVSS_V3' and s.get('score') >= 7.0 for s in severity):
# Fallback: check if any severity string matches our threshold
sev_strings = [s.get('type', '') for s in severity]
if not any(any(th in s.upper() for s in sev_strings) for th in SEVERITY_THRESHOLD):
return False

# Check if package is in our pinned list and version is affected
pinned = load_pinned_deps()
if pkg_name in pinned:
affected_versions = vuln.get('affected', [])
for entry in affected_versions:
if entry.get('package', {}).get('name') == pkg_name:
# Simplified version check; for production, use a version range parser.
if pkg_version in entry.get('versions', []):
return True
return False

def main():
pinned_deps = load_pinned_deps()
for pkg, version in pinned_deps.items():
# Query OSV for this specific package/version (batch query is also possible)
query = {"package": {"name": pkg, "ecosystem": "PyPI"}, "version": version}
resp = requests.post(OSV_ENDPOINT, json=query)
if resp.status_code == 200:
vulns = resp.json().get('vulns', [])
for vuln in vulns:
if check_vuln(pkg, version, vuln):
# Construct and send alert
alert = {
"text": f"**Critical Vulnerability Alert**n**Package:** `{pkg}=={version}`n**ID:** {vuln.get('id')}n**Summary:** {vuln.get('summary', 'N/A')[:200]}n**Link:** {vuln.get('references', [{}])[0].get('url', '')}"
}
requests.post(WEBHOOK_URL, json=alert)
```

This system has already flagged several high-severity issues in transitive dependencies that our weekly SCA scan had not yet ingested. The key is the curated dependency list; we only monitor packages that have passed our initial audit and are pinned in our production manifests. This reduces alert fatigue significantly. I am considering extending it to also monitor for newly added dependencies that lack a pin, which is a common policy violation during rapid prototyping phases.